Article 12.1 of Law 25 applies when an AI agent decides alone. Three concrete obligations and one keyword that changes everything: "exclusively."

If you have read our overview of Law 25 obligations for Quebec SMBs, you already know that a well-designed AI agent is perfectly legal. But one provision in the law deserves a closer look, because it applies precisely to what agents do best: making decisions on your behalf.
Article 12.1 of Quebec's Law 25, the modernized Act respecting the protection of personal information in the private sector (P-39.1), has been in force since 22 September 2023. It governs fully automated decisions that affect individuals. This article explains what it requires and what can trigger it inside your SMB.
When an AI agent makes a decision that affects a person (a customer, employee, or job candidate) and no human was involved in that decision, three obligations come into play under article 12.1:
1. Inform the person. You must notify them no later than when the decision is communicated to them.
2. Explain on request. If the person asks, you must describe the personal information used to make the decision, the principal factors and parameters that determined it, and remind them of their right to have inaccurate information corrected.
3. Offer a human review. You must give them the opportunity to present observations to a staff member who has the authority to reconsider the decision.
The keyword is "exclusively": article 12.1 applies only when the decision is based exclusively on automated processing. As soon as a human plays a genuine role, the obligation shifts. That line is also your main design lever.
Picture two agents doing the same starting task: evaluating a customer financing request.
The first agent analyzes the file, calculates a score, and sends a response directly to the customer. No person has reviewed the file. That is an exclusively automated decision. Article 12.1 applies in full.
The second agent runs the same analysis, but for borderline files (a score between 60 and 75, say) it opens a ticket so an advisor can take a look before the decision is sent. That advisor approves, declines, or adjusts. A human participated in the decision. Article 12.1, in its strict sense, no longer applies the same way.
The difference between the two is not a legal workaround. It is a serious design choice. An agent that knows when to escalate to a human is also a better operational agent: it reduces costly errors, reserves genuine judgment calls for your team, and is easier to defend if a decision is challenged.
That said, the law does not specify how much human involvement is required. The Commission d'accès à l'information (CAI), the body that enforces Law 25, is the authority on this question. A purely formal review, with no real ability to influence the outcome, does not count as genuine human participation. If you build an agent with a human escalation step designed only to sidestep article 12.1, without anyone ever actually looking at the file, that is not serious design and is probably not compliant.
Here are four types of use where article 12.1 comes directly into play.
An agent analyzes a customer's repayment capacity and returns a response without any human reviewing the file. Exclusively automated decision, article 12.1 applies. The customer must be informed and must have the opportunity to request an explanation and a review.
An agent reviews incoming resumes, applies selection criteria, and automatically rejects candidates who do not clear the filter. Rejected candidates never had a human look at their file. Same mechanism, same obligations.
An agent evaluates a customer's profile and automatically assigns a premium or a differentiated rate. If that pricing is based on automated processing of personal information and no human validates it, article 12.1 applies.
An agent detects an anomaly (unusual transactions, non-payment, behavior that triggers an internal rule) and closes or suspends the account without human intervention. The affected person has the right to be informed, to request an explanation, and to request a review.
In each case, the person receives a response that changes something real for them, without ever having had the chance to speak to anyone. That is precisely the scenario article 12.1 is designed to address.
Here is what each of the three obligations actually requires, because the details matter.
Inform at the moment of the decision. The obligation is tied to timing: "no later than when the decision is communicated." The email announcing a refusal or an approval must contain, or be accompanied by, a notice explaining that an automated decision was made. Not buried in a privacy policy on page eight. In the communication itself.
Explain the factors on request. This is not a standing proactive obligation: you do not have to produce an explanation for every decision you render. But if the person asks, you must be able to tell them what information was used and what the principal factors and parameters were. That requires your agent to be designed so that this information is traceable and retrievable. An agent that makes decisions in a black box without leaving any record cannot meet this obligation.
Provide the opportunity for a human review. The law says "the opportunity to present observations to a staff member" who can reconsider the decision. That means you have a process for receiving these review requests and that a person with the authority to change the decision responds within a reasonable timeframe.
These three obligations have a direct impact on how you build and operate an agent. If you plan ahead of deployment how you will meet each one, the design is much cleaner. If you think about it afterward, it is a rebuild. This is one reason why a privacy impact assessment (PIA) before deploying an agent is not just a box to check: it forces this reflection at the right moment.
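A sketch of what "planning ahead of deployment" can look like in code, added here as an illustration and not taken from any product or from the law's text: one decision record that drives the escalation, the notice, and the explanation on request. All names are hypothetical, the 60 to 75 band is the article's own illustration, and the approve/decline direction outside the band is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

BAND = (60, 75)  # borderline band from the article's illustration

@dataclass
class DecisionRecord:
    subject_id: str
    inputs_used: dict        # personal information the agent relied on
    principal_factors: list  # factors and parameters behind the score
    score: int
    outcome: Optional[str] = None   # None while an advisor still has to decide
    reviewer: Optional[str] = None  # advisor who made the call, if any
    decided_at: Optional[str] = None

    @property
    def exclusively_automated(self) -> bool:
        return self.outcome is not None and self.reviewer is None

def _close(rec, outcome, reviewer=None):
    rec.outcome, rec.reviewer = outcome, reviewer
    rec.decided_at = datetime.now(timezone.utc).isoformat()
    return rec

def agent_decide(subject_id, inputs_used, principal_factors, score):
    """Decide clear-cut files; leave borderline ones open for an advisor."""
    rec = DecisionRecord(subject_id, inputs_used, principal_factors, score)
    if BAND[0] <= score <= BAND[1]:
        return rec  # escalated: no outcome until a human records one
    # Assumption: above the band approves, below it declines.
    return _close(rec, "approved" if score > BAND[1] else "declined")

def advisor_decide(rec, reviewer, outcome):
    """Record the advisor's own decision on an escalated file."""
    if rec.outcome is not None:
        raise ValueError("file already decided")
    return _close(rec, outcome, reviewer)

def outbound_message(rec):
    """Build the communication; the notice travels with the decision itself."""
    if rec.outcome is None:
        raise ValueError("no decision to communicate yet")
    msg = {"to": rec.subject_id, "decision": rec.outcome}
    if rec.exclusively_automated:
        msg["notice"] = ("This decision was made by automated processing. "
                         "You may request an explanation and a human review.")
    return msg

def explanation(rec):
    """Answer an explanation request from the stored record."""
    return {"information_used": rec.inputs_used,
            "principal_factors": rec.principal_factors,
            "correction_right": "You may ask us to correct inaccurate information."}
```

The `reviewer` field only records that an advisor made the decision; whether that review was genuine is a matter of process, not something the record can establish.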
The human review obligation in article 12.1 looks like one more constraint. It is mostly a design principle you should have applied anyway.
An agent that handles high-stakes decisions (credit refusals, rejected applications, account closures) without ever involving a human for edge cases is a fragile agent. Edge cases, by definition, are where automated decisions are least reliable. They are also the ones that generate the most disputes, which cost you time and reputation.
An agent designed to escalate selectively (clear-cut cases it handles alone, ambiguous ones it flags to someone) is more robust, easier to audit, and simpler to defend if a complaint reaches the CAI. This is not a trade-off between speed and compliance. It is the design that wins on both counts.
The question to ask yourself before deploying: for each type of decision this agent makes, do I know where the line is between the cases I hand off to it entirely and the ones it needs to escalate? If you do not have a clear answer, article 12.1 is not your only problem.
Article 12.1 speaks to decisions made by your company, not only by official agents you have deployed. If your employees use AI tools on their own to speed up decisions that affect individuals, without any clear framework from you, the question of corporate liability remains fully open. That is the subject of the article on managing AI tools used by your employees.
If you have an agent in production or a project underway, put these three questions to your technical team.
1. Which decisions does this agent make alone, without human involvement?
2. For each one, is there a notification at the moment of the decision and a review mechanism on request?
3. How do we retrieve the factors that influenced a given decision if someone challenges it?
If you cannot answer those three questions, that is where you start, before any further development.
If you want to work through this together, the first conversation is free. 30 minutes to look at your specific cases, identify what triggers article 12.1, and see how to design your agents to be both effective and compliant.
This is plain-language education, not legal advice. The legislation on LégisQuébec and the Commission d'accès à l'information (CAI) are the references that prevail.